felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(profile): small improvment on systemd profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-05-18 13:09:25 +01:00
parent 17bfd0e869
commit 5e6af16580
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC
5 changed files with 7 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apparmor.d/groups/systemd/systemd-localed
View file

@ -14,9 +14,6 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
include <abstractions/consoles> include <abstractions/consoles>
include <abstractions/common/systemd> include <abstractions/common/systemd>
# Needed?
audit capability net_admin,
unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,
#aa:dbus own bus=system name=org.freedesktop.locale1 #aa:dbus own bus=system name=org.freedesktop.locale1

6
apparmor.d/groups/systemd/systemd-machine-id-setup
View file

@ -19,21 +19,21 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
ptrace (read), ptrace (read),
mount flags=(rw rslave) -> /, mount options=(rw rslave) -> /,
umount /etc/machine-id, umount /etc/machine-id,
@{exec_path} mr, @{exec_path} mr,
/ r, / r,
/etc/machine-id rw,
/etc/ r, /etc/ r,
/etc/machine-id rw,
/var/ r, /var/ r,
@{PROC}/1/environ r, @{PROC}/1/environ r,
@{PROC}/cmdline r, @{PROC}/cmdline r,
@{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/osrelease r,
owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/setgroups r,
owner @{PROC}/@{pid}/stat r,
include if exists <local/systemd-machine-id-setup> include if exists <local/systemd-machine-id-setup>
} }

3
apparmor.d/groups/systemd/systemd-mount
View file

@ -6,8 +6,7 @@ abi <abi/3.0>,
include <tunables/global> include <tunables/global>
@{exec_path} = @{bin}/systemd-mount @{exec_path} = @{bin}/systemd-mount @{bin}/systemd-umount
@{exec_path} += @{bin}/systemd-umount
profile systemd-mount @{exec_path} { profile systemd-mount @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/disks-write> include <abstractions/disks-write>

4
apparmor.d/groups/systemd/systemd-oomd
View file

@ -24,8 +24,8 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
/etc/systemd/oomd.conf r, /etc/systemd/oomd.conf r,
/etc/systemd/oomd.conf.d/{,**} r, /etc/systemd/oomd.conf.d/{,**} r,
@{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw,
@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw,
@{run}/systemd/notify rw, @{run}/systemd/notify rw,
owner @{run}/systemd/journal/socket w, owner @{run}/systemd/journal/socket w,

3
apparmor.d/groups/systemd/systemd-sleep-grub2
View file

@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-sleep/grub2.sleep @{exec_path} = @{lib}/systemd/system-sleep/grub2.sleep
profile systemd-sleep-grub @{exec_path} { profile systemd-sleep-grub @{exec_path} {
include <abstractions/base> include <abstractions/base>
include <abstractions/nameservice-strict>
@{exec_path} mr, @{exec_path} mr,
@ -18,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} {
/etc/sysconfig/bootloader r, /etc/sysconfig/bootloader r,
/var/lib/nscd/passwd r,
@{PROC}/@{pid}/maps r, @{PROC}/@{pid}/maps r,
/dev/tty rw, /dev/tty rw,